Josep Mangas
Head of IT & Security, eDreams
Feb 18, 2020
eDreams - Powering Security Monitoring with the Elastic Stack
"If you know the enemy and know yourself you need not fear the results of a hundred battles" - Sun Tzu, The Art of War
Knowing eDreams ODIGEO
Early lessons learned
• Security trends focus on knowing the "enemy", but you need to know yourself first.
• In e-commerce, the most important thing is trust and ease of use while buying.
• The biggest threat is anything that could affect the customer experience so that he/she doesn't buy.
Have we done our homework?
• In the case of eDreams:
  • How are customers interacting with our e-commerce platform?
  • How do they buy?
  • What is a "normal" customer behaviour?
  • Which are the main endpoints?
  • Where are the critical APIs?
  • How do the different flows work?
• In order to protect our site, we need to know what to protect.
• And it is not about TECHNOLOGY! It is about covering the BASICS!
Looking for the right tripmate
• Which tool helps us "discover" our site and is flexible enough for both short-term and long-term needs?
• Elastic was already used by the DevOps team, so it was an easy choice:
  • Open and flexible
  • Unifies logging environments
  • Rapid deployment and ROI
  • Can add value in other fields (compliance, fraud)
  • Widespread knowledge
  • Interesting roadmap
  • Fits into the Agile mindset
Elastic as a solution that fits well
1st Phase: Gathering
• Log integration in three different environments:
  • E-commerce site on-prem
  • E-commerce site cloud-based (GCP)
  • Corporate IT (the usual suspects)
• Log identification (user behaviour, payment flow, IDS, VPN, SAML, SaaS, AD …)
• Wazuh - Compliance (PCI-DSS)
• MISP integration
• Dashboards ready to use within minutes
• Help to better know ourselves
• Hypothesis checker
• Self-made indices and pre-processing
Elastic as a solution that fits well
Phases: Maturing & Improving Visibility; Automating & Integrating; Centralizing and new functionalities
• Active monitoring of relevant assets.
• TimeLion, Alert, SIEM, Geolocation, ASN
• Dashboards everywhere: business, technical and non-technical
• Support processes with other areas
• Discover correlations
• Free the information
• SIEM… maturing
• Alarm
• Slack
• Testing ML
• Integration with the rest of the teams
• Moving to Cloud
• Cross-node queries
• More and more alerts
• More and more business cases
• Adding new Elastic Stack functionalities
Some Figures
• 3 clusters (15 nodes)
  • 2 x 6 nodes (3 master + data, 3 data)
  • 3 nodes (3 master + data)
• ~250 GB per day and 25 M documents
• Elastic Stack v7.4 and Wazuh 3.10
• ~60 dashboards
• 3 ML jobs
• Cross-cluster queries
• Integration with MISP and GeoIP
Looking forward … to a single, bigger cluster (GCP)
Automation, the next frontier
• Identify the business case / need
• Do we have the source?
• How does it show up at the Elastic level?
• What are the normal / abnormal thresholds?
• Set up the alert, integrate with Slack, define the playbook, escalate to the team owner
Machine Learning, discovering the unknown
• Identify the business case / need
• When you need to find the hidden (WIP)
• Again, you know yourself and your customers.
• You expect things to go one known way.
• ML can help you detect things that diverge from the happy path.
Late Lessons Learnt
• Identify the business case / need
• Use ECS from the beginning.
  • Minimize pre-parsing
• Invest in other people's time.
  • It will speed up your deployment
• Keep in mind what you're looking for
  • That helps to identify relevant sources of information.
• Check hypotheses.
• Share the insights you create
  • The info can be helpful for other teams.
• Test new capabilities of the Elastic Stack.
  • And challenge the old ones.
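Putting the automation steps and the "use ECS from the beginning" lesson together, here is an added example that is not code from the talk or from eDreams: constructed e-commerce access-log lines are normalized into ECS field names, then a simple threshold rule (repeated failed payment calls from one source) produces a Slack-style alert carrying owner and playbook placeholders. The log format, threshold and field choices are assumptions for illustration.

```python
"""Constructed example: access log -> ECS-style documents -> threshold rule
-> alert payload with owner/playbook, as in the automation slide. Sample data
is made up (documentation IP ranges)."""
import re
from collections import Counter

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2020:10:00:01 +0000] "POST /api/payment HTTP/1.1" 402 51 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Feb/2020:10:00:03 +0000] "POST /api/payment HTTP/1.1" 402 51 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Feb/2020:10:00:04 +0000] "POST /api/payment HTTP/1.1" 402 51 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2020:10:00:05 +0000] "GET /flights/search HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2020:10:00:09 +0000] "POST /api/payment HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def to_ecs(line):
    """Map one access-log line onto ECS field names (flat dotted keys).
    Returns None for lines that do not parse, so bad input is skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "event.category": "web",
        "source.ip": m["ip"],
        "http.request.method": m["method"],
        "url.path": m["path"],
        "http.response.status_code": int(m["status"]),
        "user_agent.original": m["ua"],
    }

def payment_failure_alert(docs, threshold=3):
    """Rule: `threshold` or more failed (4xx/5xx) calls to /api/payment from
    one source.ip -> one alert dict shaped for a Slack message. The owner and
    playbook values are placeholders, not eDreams' own."""
    failures = Counter(d["source.ip"] for d in docs
                       if d["url.path"] == "/api/payment"
                       and d["http.response.status_code"] >= 400)
    return [{"text": f"{n} failed payment calls from {ip} (threshold {threshold})",
             "owner": "payments-team", "playbook": "PLAYBOOK-ID-PLACEHOLDER"}
            for ip, n in failures.items() if n >= threshold]

def run(log_text=SAMPLE_LOG):
    """Parse every line, drop unparseable ones, and evaluate the rule."""
    docs = [d for d in (to_ecs(ln) for ln in log_text.splitlines()) if d]
    return docs, payment_failure_alert(docs)
```

The ECS keys are used here as flat strings; in a real pipeline the same mapping would live in an ingest pipeline or Beats module so the threshold and dashboards query one consistent schema.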
Q&A, by the (fake) futbolin
